Snort blacklist subnet not working

  • Hi,

    I want to block a whole subnet of ip addresses inside snort (e.g. ) as I can see they are generating a lot of alerts. I have added this subnet to an IP List file and then applied that to my WAN IP Rep Blacklist files list.

    The problem is that ip addresses in this subnet are still generating alerts. I thought that the IP Rep blacklist would be processed before examing my rulesets. Is this right?

    How do I block a subnet before it gets to being processed by my snort rules?

    Thanks for the help!

  • It is processed first and then those IPs don't hit the other rules, but they will still generate a "blacklist" alert. Are you getting alerts beside the "blacklist" alert?

Log in to reply